Microsoft Publishes Bi-annual Security Intelligence Report (SIR)
15.3.2018 securityweek Analysis

Microsoft's 23rd bi-annual Security Intelligence Report (SIR) focuses on three topics: the disruption of the Gamarue (aka Andromeda) botnet, evolving hacker methodologies, and ransomware. It draws on the data analysis of Microsoft's global estate since February 2017, including 400 billion email messages scanned, 450 billion authentications, and 18+ billion Bing webpage scans every month; together with the telemetry collected from the 1.2 billion Windows devices that opt in to sharing threat data with Microsoft.

It is worth noting that Microsoft applies machine learning (ML) artificial intelligence to this data to tune its own security software. Since the efficiency of ML-based endpoint protection relies on both the algorithms employed, and the size of the data pool from which it learns, the implication is that Windows Defender has the potential to become an increasingly effective protection tool.

Gamarue

Gamarue was one of the largest botnets in the world. From 2011 it had evolved through five active versions and had been involved in distributing Petya and Cerber ransomware, Kasidet (aka the Neutrino bot), the Lethic spam bot, and data stealing malware such as Ursnif, Carberp and Fareit.

In partnership with ESET, Microsoft had been researching the Gamarue infrastructure and 44,000 associated malware samples, since December 2015. Details on 1,214 C&C domains and IPs, 464 distinct botnets and more than 80 malware families were collected and handed to law enforcement agencies around the world. On November 29, 2017, Gamarue's C&C servers were disconnected and replaced with a sinkhole.

Since the disruption, the sinkhole has collected the IP addresses of 23 million infected devices. Microsoft has watched the number of Gamarue-infected devices reduce month by month, from around 17 million in December 2017 to 14 million in January 2018, and less than 12 million in February. Johnnie Konstantas, senior director with the Microsoft Cybersecurity Enterprise Group, told SecurityWeek, "The team reached out to ISPs, law enforcement agencies and identified companies, and told them about the infected IPs. Those organizations could identify the individual infected devices and organize the mitigations -- which is what reduces the number of infected devices still connecting to the sink-hole." Microsoft does not use the botnet to directly warn the infected users; but ESET comments, "at least no new harm can be done to those compromised PCs."

Hacker routes

Over the last few years -- not least because of the introduction of machine learning techniques -- security protections have improved, and direct hacking has become more difficult and time-consuming. While still employed by well-resourced actors -- such as nation-state affiliated groups -- hackers in general have diverted their attention to the 'low-hanging fruit'. The SIR describes three of these routes: social engineering, poorly-secured cloud apps, and the abuse of legitimate software platform features.

Social engineering attacks are largely synonymous with phishing attacks. The SIR notes "a significant volume of phishing-based email messages at the very end of the year 2017. Phishing was the #1 threat vector (> 50%) for Office 365-based email threats in the second half of calendar year 2017." There are various tools available to help detect phishing, but some academics doubt that even machine learning techniques will be unable to solve the problem.

Microsoft stresses the value of user awareness training. While users are often called 'the weakest link', they are also the first line of defense. Every well-trained user is effectively an individual human firewall.

The second of the low-hanging fruits is poorly secured cloud apps. "We studied about 30 of them," said Konstantas, "looking at the security measures they employed. First you want header security, to prevent attacks like cookie poisoning or cross-site scripting that take over the session. Then you also want encryption of data in motion between the end device and the cloud, and finally encryption of data at rest."

Microsoft found that about 79% of storage apps, and 86% of collaboration apps did not have all three measures. "They may have had one or two of the three," she continued, "but not all three. This is a big deal, because you're talking about potentially valuable corporate data accessible to adversaries, and also the possibility of malware infection coming back to the device."

The problem is intensified by shadow IT -- companies may not even be aware that staff are using these insecure apps. "Mitigation here," she said, "is focused on cloud access security brokers (CASBs) that can apply all three security measures to traffic going to the cloud, can monitor what is going on in the cloud, and can identify what unsanctioned cloud apps are being used by staff."

The third of the low-hanging fruits is the abuse of legitimate services. The SIR gives just one example: the exploitation of DDE in October and November 2017. In one quoted example, an attached Word document was able, through DDE, to download and run malicious payloads such as the Locky ransomware.

Surprisingly, however, there is no mention of the abuse of PowerShell. PowerShell, activated from within weaponized Office attachments, is increasingly used by hackers to deliver 'fileless' attacks. McAfee's Q4 2017 Threat Report -- also published this week -- reports, "In 2017, McAfee Labs saw PowerShell malware grow by 267% in Q4, and by 432% year over year, as the threat category increasingly became a go-to toolbox for cybercriminals. The scripting language was irresistible, as attackers sought to use it within Microsoft Office files to execute the first stage of attacks." Operation Gold Dragon, in December 2017, is an example of the use of PowerShell by hackers.

Ransomware

Ransomware is, not surprisingly, the third major topic discussed in SIR 23. Last year will always be remembered as the year of three particular global ransomware outbreaks: WannaCry, NotPetya and Bad Rabbit. The first two of these rapidly became global in extent using an exploit known as EternalBlue; an NSA 'weapon' stolen and publicly released by the Shadow Brokers.

One of the disturbing aspects of these outbreaks is that Microsoft had already patched the vulnerability used by EternalBlue to spread from machine to machine. Konstantas confirmed to SecurityWeek that the first Microsoft knew about the EternalBlue exploit used in WannaCry was when it was released by Shadow Brokers; that is, Microsoft was not informed by the NSA that this exploit had been stolen by Shadow Brokers prior to it entering the public domain. This demonstrates both the speed with which Microsoft handles serious vulnerabilities, and the slowness with which large numbers of users take advantage of available patches. Azure customers were automatically protected, confirmed Konstantas.

According to the SIR, the three most commonly encountered ransomwares in 2017 were Android LockScreen, WannaCry and Cerber. LockScreen is interesting since it is Android malware that crosses to Windows devices when users sync their phones or download Android apps, usually side loading from outside of the Google Play store, via Windows.

The report has five primary recommendations to counter the threat of ransomware: backup data; employ multi-layered security defenses; upgrade to the latest software and enforce judicious patching; isolate or retire computers that cannot be patched; and manage and control privileged credentials. A new survey from Thycotic demonstrates just how poor many organizations are at managing privileged accounts.

There is no mention of a sixth potential recommendation -- if infected with ransomware, immediately visit the NoMoreRansom project website. This project aggregates known ransomware decryptors, and it is possible that victims might be able to recover encrypted files without recourse to the risky option of paying the ransom. For now, Microsoft does not appear to be a partner in this project.